Friday, February 28, 2003

Auriemma Luigi wrote an advisory warning how online gaming servers can be manipulated to cause a sort of amplification denial of service attack. We've seen similar issues with DNS in 2000. UDP in general is susceptible to these sorts of attacks because no connection is required.
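The reason UDP services lend themselves to this abuse is that a server answers whatever source address is on the datagram, and a short query can produce a long reply. Below is an added detection example (not code from the advisory or from this blog) that scans flow-summary records for UDP exchanges where the reply volume dwarfs the request, and totals the reflected bytes per claimed source address, which in a spoofed-source scenario is the victim rather than the sender. The flow records and the game port number are constructed for illustration.

```python
"""Flag UDP flows whose reply volume dwarfs the request, the pattern behind
reflected/amplified denial of service against UDP services.
Added example with constructed data; not taken from the advisory."""
from collections import defaultdict

# Constructed flow-summary records:
# (proto, src, sport, dst, dport, bytes_in, bytes_out)
# bytes_in  = bytes sent to the server, bytes_out = bytes the server sent back.
SAMPLE_FLOWS = [
    ("udp", "203.0.113.7", 40000, "192.0.2.10", 27960, 64, 1400),   # tiny query, big reply
    ("udp", "203.0.113.7", 40001, "192.0.2.10", 27960, 64, 1400),
    ("udp", "203.0.113.7", 40002, "192.0.2.10", 27960, 64, 1400),
    ("udp", "198.51.100.5", 5353, "192.0.2.10", 27960, 120, 130),   # ordinary exchange
    ("tcp", "203.0.113.7", 443, "192.0.2.10", 22, 5000, 90000),     # TCP needs a handshake; ignored
]


def amplification_ratio(bytes_in, bytes_out):
    """Bytes returned per byte received; 0.0 when nothing was received."""
    return bytes_out / bytes_in if bytes_in else 0.0


def suspicious_udp_flows(flows, min_ratio=10.0):
    """Return the UDP flows whose reply/request byte ratio reaches min_ratio."""
    return [f for f in flows
            if f[0] == "udp" and amplification_ratio(f[5], f[6]) >= min_ratio]


def amplified_bytes_per_victim(flows, min_ratio=10.0):
    """Sum reply bytes per claimed source address of the suspicious flows.

    Because UDP carries no handshake, the source address is unverified; when
    it was forged, this address is the victim receiving the reflected traffic.
    """
    totals = defaultdict(int)
    for f in suspicious_udp_flows(flows, min_ratio):
        totals[f[1]] += f[6]
    return dict(totals)


if __name__ == "__main__":
    for src, total in amplified_bytes_per_victim(SAMPLE_FLOWS).items():
        print(f"{src}: {total} reflected bytes from high-ratio UDP flows")
```

The ratio threshold is deliberately a parameter: a legitimate bulk-reply service will sit above 10:1 all day, so in practice the useful signal is a high ratio combined with many requests from one claimed source, which is why the second function aggregates per address rather than alerting per flow.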

Wednesday, February 26, 2003

Page 260 of the second edition of Hacking Linux Exposed gives a simple trick to prevent X from listening on port 6000. If you run the X Window System using 'startx' from the command prompt, and have nothing but sshd listening, you'll find port 6000 listening once X starts:
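The check itself is easy to automate. The following is an added example (not the book's trick and not code from this blog) that parses netstat-style output and reports any TCP listener in the X display range, using the rule that display :N listens on TCP port 6000+N. The netstat sample is constructed; the parser accepts both the BSD `addr.port` and Linux `addr:port` forms.

```python
"""Audit netstat output for X servers listening on TCP.
Added example with a constructed netstat sample; not from the book or the blog."""
import re

X_BASE_PORT = 6000  # X display :N listens on TCP 6000 + N

# Constructed sample of `netstat -an` output (BSD-style address.port form).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.6000                 *.*                    LISTEN
tcp6       0      0  *.6000                 *.*                    LISTEN
tcp4       0      0  192.0.2.10.22          198.51.100.5.51234     ESTABLISHED
udp4       0      0  *.514                  *.*
"""

# proto, recv-q, send-q, local address + port, foreign address, LISTEN
LISTEN_RE = re.compile(r"^(tcp\d?)\s+\d+\s+\d+\s+(\S+)[.:](\d+)\s+\S+\s+LISTEN\s*$")


def x_display_listeners(netstat_text, max_display=63):
    """Return sorted (display_number, local_address) pairs for TCP listeners
    in the X port range 6000..6000+max_display."""
    found = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        port = int(m.group(3))
        if X_BASE_PORT <= port <= X_BASE_PORT + max_display:
            found.add((port - X_BASE_PORT, m.group(2)))
    return sorted(found)


def x_exposed(netstat_text):
    """True when at least one X display is reachable over TCP."""
    return bool(x_display_listeners(netstat_text))


if __name__ == "__main__":
    import subprocess
    # On a real host, feed live output in instead of the constructed sample.
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    for display, addr in x_display_listeners(out):
        print(f"X display :{display} listening on {addr}")
```

Modern X servers accept `-nolisten tcp` (started as `startx -- -nolisten tcp`), which closes the TCP socket and leaves only the local Unix socket; whether that is the specific trick on page 260 is not stated here. Rerunning the audit after X starts is the confirmation step.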

I found an article on using undocumented features in VMWare. Essentially the author wrote tools to interact with the VM software itself from within a virtual machine. One of the tools was ported to Linux and it works.

I found an article on running KDE on Windows using cygwin. I got KDE to start but couldn't launch any applications due to a "DCOP error". To get KDE to work I had to make the following adjustments, some of which were listed in the article:

Saturday, February 22, 2003

While reading the second edition of Hacking Linux Exposed, I learned of a simple yet useful tool called Pluf Simple Hostname Scanner, or plushs. I downloaded version 1.2 and installed it without problems on FreeBSD 5.0 REL. You can use plushs to rapidly find PTR records for specified IP ranges. This example returns all PTR records from IPs in the 195.5.3.0/24 block.
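The same reverse-lookup sweep is easy to reproduce in a few lines. Below is an added example (not plushs itself and not code from this blog) that walks every host address in a CIDR block, resolves PTR records concurrently, and returns only the addresses that have one. The resolver is pluggable: `default_resolver` uses the real DNS via `socket.gethostbyaddr`, while `fake_resolver` answers from a constructed table so the sweep can be exercised offline; the 192.0.2.0/24 names in that table are invented.

```python
"""Reverse-DNS sweep of an address block, in the spirit of plushs.
Added example; the FAKE_PTR table is constructed for offline use."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor


def default_resolver(ip):
    """Real reverse lookup; returns the PTR name or None when there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def ptr_sweep(cidr, resolver=default_resolver, workers=32):
    """Map each host address in `cidr` (e.g. '195.5.3.0/24') to its PTR name.

    Addresses without a PTR are omitted. Network and broadcast addresses are
    skipped for blocks larger than /31; /31 and /32 blocks are taken whole.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.num_addresses > 2:
        addrs = [str(a) for a in net.hosts()]
    else:
        addrs = [str(a) for a in net]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        names = pool.map(resolver, addrs)   # preserves input order
    return {ip: name for ip, name in zip(addrs, names) if name}


# Constructed stand-in for DNS so the sweep can run without network access.
FAKE_PTR = {
    "192.0.2.1": "gw.example.net",
    "192.0.2.10": "www.example.net",
    "192.0.2.11": "mail.example.net",
}


def fake_resolver(ip):
    return FAKE_PTR.get(ip)


if __name__ == "__main__":
    for ip, name in sorted(ptr_sweep("192.0.2.0/24", resolver=fake_resolver).items()):
        print(f"{ip}\t{name}")
```

For inventory work the useful output is the set of addresses that answer at all: hosts with a PTR record are usually the ones somebody took the time to register, which makes the sweep a quick first pass over a block you are responsible for.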

Wednesday, February 19, 2003

Before reading "Web Services Security" (WSS), my knowledge of Web Services relied on a few magazine articles and chapter 10 of "Hacking Exposed: Web Applications." After reading WSS, I have a better idea of how Web Services work and how a variety of acronyms (XACML, XKMS, SAML, etc.) provide security. This 312 page book isn't lengthy enough to make you a Web Services security expert, but it provides a good foundation for consultants and other professionals.

I just learned the ISP which hosts taosecurity.com can't seem to find my files...great. I am redirecting taosecurity.com here until I deploy a backup, or until the ISP gets its act together. Due to DNS changes it may be a while before taosecurity.com appears here.

Tuesday, February 18, 2003

According to my friend Bamm Visscher, I just became user number six of Sguil, an interface for the Snort intrusion detection engine. It's in early alpha stages but it smokes everything else available. It's built BY an analyst FOR an analyst. I spent a chunk of the weekend writing this 4 MB installation guide pdf for it. The 13 MB sguil_complete_17_feb_03.tar archive I mention in the installation guide can be downloaded here, for now. There is also a Sourceforge site. Enjoy!

Saturday, February 15, 2003

"...public scrutiny is the only reliable way to improve security. There are several master key designs that are immune to the 100-year-old attack that Blaze rediscovered. They're not common in the marketplace primarily because customers don't understand the risks, and because locksmiths continue to knowingly sell a flawed security system rather than admit and then fix the problem. This is no different from the computer world. Before software vulnerabilities were routinely published, vendors would not bother spending the time and money to fix vulnerabilities, believing in the security of secrecy. And since customers didn't know any better, they bought these systems believing them to be secure. If we return to a world of bug secrecy in computers, we'll have the equivalent of 100-year-old vulnerabilities known by a few in the security community and by the hacker underground."

Wednesday, February 12, 2003

Marcus Ranum, one of the smartest security visionaries around, made an interesting post on 31 Dec 02 to the Focus-IDS list. He's right, as usual, about several issues. I especially applaud his proxy firewall ideas:

"About a million years ago I was designing and coding firewalls. I wrote pure proxy firewalls. OK, actually, I _invented_ pure proxy firewalls. You know what? I still think that, for security, it's The Way To Do It and everything else sucks. But the industry appears to disagree. That's OK, it's customer choice. But if I was reviewing product firewalls, guess which ones I'd say sucked and which didn't? If I developed a firewall testing methodology, NONE of the packet screens would have cut it. And people would have been able to accuse me of trying to promote my own product because my _beliefs_ and my _implementation_ were inseparable."

This article discusses splitting the Joint Task Force - Computer Network Operations (JTF-CNO) into two separate units -- one for attack and one for defense. I remember when the JTF-CND was created, and then became the JTF-CNO. I didn't know that STRATCOM and SPACECOM had merged as of last October, though! From the article:

No full-scale cyberattack on the United States from a known enemy has been documented, and that also complicates the issue because DOD would not want to attack a nation-state's computer operations based on the actions of a few skilled hackers, Campen said. He added that it is not clear whether a cyberattack would be anything more than a nuisance to U.S. enemies unless it was done in conjunction with more traditional acts of war.

Amazon.com just posted my five star review of Absolute BSD. From the review:

This is the sort of book I've been waiting for, since reading Annelise Anderson's "FreeBSD" almost one year ago. Michael Lucas is well-known for his articles, and his knowledge and easy conversational style shine in "Absolute BSD." Of the four books I've read with "FreeBSD" in the title, this has been the most helpful -- but not necessarily the most comprehensive.

Tuesday, February 11, 2003

SOAP leaves some things unchanged. Your firewall will permit access to public Web servers that provide Web services and block access to internal servers. And internal clients will still be permitted to visit Web servers and read e-mail. But the paradigm changes here, as the emphasis changes from execution of remote methods on remote servers to include the execution of remote code on local clients. Execution of remote code on IE is already well known as a successful attack vector. Will the security features of .NET or Java mitigate this threat?

Friday, February 07, 2003

The Washington Post offers an interesting article about the U.S. government's preparations for "cyber warfare" in Iraq. From the article:

The full extent of the U.S. cyber-arsenal is among the most tightly held national security secrets, even more guarded than nuclear capabilities. Because of secrecy concerns, many of the programs remain known only to strictly compartmented groups, a situation that in the past has inhibited the drafting of general policy and specific rules of engagement.